[stunnel-users] Problem with the client certificate

Michael Renner michael.renner at gmx.de
Wed Dec 31 18:01:02 CET 2008 

On Tuesday 30 December 2008, you wrote:
> Hello,

Happy new year!

> * are the permissions correct on your files :
> - key must belong to the user and have 0600 status (read only by the user)
> - cert must belong to the user.

I think the permissions are OK. The file is owed by root and loaded at the 
start
Wrote 1024 new random bytes to /root/.rnd
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /etc/stunnel/stunnelclient.pem
Certificate loaded
Key file: /etc/stunnel/stunnelclient.pem
Private key loaded
SSL context initialized for service BreakOut


> * Is the content of the cert file of this form
>
> -----BEGIN CERTIFICATE-----
> certificate data here
> -----END CERTIFICATE-----
> ?
> and the content of the key file this form
> -----BEGIN RSA PRIVATE KEY-----
> key datat here
> -----END RSA PRIVATE KEY-----

I made several files. According to http://www.stunnel.org/faq/certs.html#ToC5
I got a file with a certificate, a RSA Key and a DH section (I removed the 
password for the certificate). 

According to http://www.stunnel.org/examples/client_cert.html I got a 
different file: it has a certificate and a RSA section and between them an 
other  section:

rcnyy/AbS1YPkdggJSnw+fqzg/L/QvQB6GTT5KWJzd0=
-----END RSA PRIVATE KEY-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Germany, L=Munich, O=vbox4php, OU=Rektorat, 
CN=DE/emailAddress=michael.renner at gmx.de
        Validity
            Not Before: Dec 28 20:37:19 2008 GMT
            Not After : Dec 28 20:37:19 2009 GMT
        Subject: C=DE, ST=Germany, O=vbox4php, OU=stunnel, 
CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b1:05:47:7a:27:4f:19:2b:18:72:e3:3c:f6:a6:
.
.
                    2b:55:2d:c9:dc:96:55:14:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                86:F6:1F:71:29:AA:A5:61:DF:B2:81:F2:34:3A:A6:9E:58:C8:6A:5E
            X509v3 Authority Key Identifier:
                
keyid:72:68:1A:0C:9D:E9:93:81:07:E9:36:71:75:33:05:C6:70:35:01:BF
                
DirName:/C=DE/ST=Germany/L=Munich/O=vbox4php/OU=Rektorat/CN=DE/emailAddress=michael.renner at gmx.de
                serial:BC:97:82:4E:E3:9F:FE:5A

            X509v3 Issuer Alternative Name:
                email:michael.renner at gmx.de
            X509v3 Subject Alternative Name:
                email:michael.renner at gmx.de
    Signature Algorithm: sha1WithRSAEncryption
        49:ef:06:aa:e5:71:b1:6e:23:87:02:9d:ce:56:e1:3b:77:5a:
.
.
        41:93:92:ee:57:23:95:f3:99:62:27:6a:a4:b7:85:b4:92:86:
        22:50:79:a0
-----BEGIN CERTIFICATE-----

Anyhow: it fails:
2008.12.31 17:51:07 LOG4[13056:1073809760]: VERIFY ERROR: depth=0, 
error=unable to get local issuer 
certificate: /C=DE/ST=Germany/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
2008.12.31 17:51:07 LOG3[13056:1073809760]: SSL_accept: 140890B2: 
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate 
returned

With strace I can see the the key and the cert is OK on the client side: (I 
assume that it is only read once):

[pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
[pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
[pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
[pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
[pid 11829] read(4, "VQQDEwJERTEkMCIGCSqGSIb3\nDQEJARY"..., 4096) = 1425
[pid 11829] read(4, "", 4096)           = 0
[pid 11829] close(4)                    = 0
[pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31 
17:52:56 LOG7[11829:140253752059616]: Certificate loaded
) = 68
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 902008.12.31 
17:52:56 LOG7[11829:140253752059616]: Key 
file: /etc/stunnel/stunnelserver.pem
) = 90
[pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
[pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
[pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
[pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
[pid 11829] close(4)                    = 0
[pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31 
17:52:56 LOG7[11829:140253752059616]: Private key loaded


While I see in the clients logfile:
SSL state (connect): SSLv3 flush data
SSL alert (read): fatal: bad certificate
SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert 
bad certificate
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket


Strange!


One more hint?
-- 
|Michael Renner      E-mail: michael.renner at gmx.de  |
|D-81541 Munich      Germany        ICQ: #112280325 |
|Germany             Don't drink as root!      ESC:wq

More information about the stunnel-users mailing list